(CP/CPS) Starfield Technologies, LLC Certificate Policy and Certification Practice Statement - Version 4.13 September 8, 2021 Starfield CP-CPS ...
Starfield Technologies, LLC
Certificate Policy and Certification Practice Statement (CP/CPS)
Version 4.13
September 8, 2021

Starfield CP-CPS v4.13

Table of Contents

1 INTRODUCTION
  1.1 Overview
  1.2 Document Name and Identification
    1.2.1 Document History
  1.3 PKI Participants
    1.3.1 Certification Authorities
    1.3.2 Registration Authorities
    1.3.3 Subscribers
    1.3.4 Relying Parties
    1.3.5 Other Participants
  1.4 Certificate Usage
    1.4.1 Appropriate Certificate Uses
    1.4.2 Prohibited Certificate Uses
  1.5 Policy Administration
    1.5.1 Organization Administering the Document
    1.5.2 Contact Person
    1.5.3 Person Determining CPS Suitability for the Policy
    1.5.4 CPS Approval Procedure
  1.6 Definitions and Acronyms
2 PUBLICATION AND REPOSITORY RESPONSIBILITIES
  2.1 Repositories
  2.2 Publication of Certification Information
  2.3 Time or Frequency of Publication
  2.4 Access Controls on Repositories
3 IDENTIFICATION AND AUTHENTICATION
  3.1 Naming
    3.1.1 Types of Names
    3.1.2 Need for Names to be Meaningful
    3.1.3 Anonymity or Pseudonymity of Subscribers
    3.1.4 Rules for Interpreting Various Name Forms
    3.1.5 Uniqueness of Names
    3.1.6 Recognition, Authentication and Role of Trademarks
  3.2 Initial Identity Validation
    3.2.1 Method to Prove Possession of Private Key
    3.2.2 Authentication of Organization and Domain Identity
    3.2.3 Authentication of Individual Identity
    3.2.4 Non-verified Subscriber Information
    3.2.5 Validation of Authority
    3.2.6 Criteria for Interoperation
  3.3 Identification and Authentication for Re-key Requests
    3.3.1 Identification and Authentication for Routine Re-key
    3.3.2 Identification and Authentication for Re-key After Revocation
  3.4 Identification and Authentication for Revocation Request
4 CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS
  4.1 Certificate Application
    4.1.1 Who Can Submit a Certificate Application
    4.1.2 Enrollment Process and Responsibilities
  4.2 Certificate Application Processing
    4.2.1 Performing Identification and Authentication Functions
    4.2.2 Approval or Rejection of Certificate Applications
    4.2.3 Time to Process Certificate Applications
  4.3 Certificate Issuance
    4.3.1 CA Actions During Certificate Issuance
    4.3.2 Notification to Subscriber by the CA of Issuance of Certificate
  4.4 Certificate Acceptance
    4.4.1 Conduct Constituting Certificate Acceptance
    4.4.2 Publication of the Certificate by the CA
    4.4.3 Notification of Certificate Issuance by the CA to Other Entities
  4.5 Key Pair and Certificate Usage
    4.5.1 Subscriber Private Key and Certificate Usage
    4.5.2 Relying Party Public Key and Certificate Usage
  4.6 Certificate Renewal
    4.6.1 Circumstance for Certificate Renewal
    4.6.2 Who May Request Renewal
    4.6.3 Processing Certificate Renewal Requests
    4.6.4 Notification of New Certificate Issuance to Subscriber
    4.6.5 Conduct Constituting Acceptance of a Renewal Certificate
    4.6.6 Publication of the Renewal Certificate by the CA
    4.6.7 Notification of Certificate Issuance by the CA to Other Entities
  4.7 Certificate Re-key
    4.7.1 Circumstance for Certificate Re-key
    4.7.2 Who May Request Certification of a New Public Key
    4.7.3 Processing Certificate Re-keying Requests
    4.7.4 Notification of New Certificate Issuance to Subscriber
    4.7.5 Conduct Constituting Acceptance of a Re-keyed Certificate
    4.7.6 Publication of the Re-keyed Certificate by the CA
    4.7.7 Notification of Certificate Issuance by the CA to Other Entities
  4.8 Certificate Modification
    4.8.1 Circumstance for Certificate Modification
    4.8.2 Who May Request Certificate Modification
    4.8.3 Processing Certificate Modification Requests
    4.8.4 Notification of New Certificate Issuance to Subscriber
    4.8.5 Conduct Constituting Acceptance of Modified Certificate
    4.8.6 Publication of the Modified Certificate by the CA
    4.8.7 Notification of Certificate Issuance by the CA to Other Entities
  4.9 Certificate Revocation and Suspension
    4.9.1 Circumstances for Revocation
    4.9.2 Who Can Request Revocation
    4.9.3 Procedure for Revocation Request
    4.9.4 Revocation Request Grace Period
    4.9.5 Time Within Which CA Must Process the Revocation Request
    4.9.6 Revocation Checking Requirement for Relying Parties
    4.9.7 CRL Issuance Frequency
    4.9.8 Maximum Latency for CRLs (if applicable)
    4.9.9 On-line Revocation/Status Checking Availability
    4.9.10 On-line Revocation Checking Requirements
    4.9.11 Other Forms of Revocation Advertisements Available
    4.9.12 Special Requirements Regarding Key Compromise
    4.9.13 Circumstances for Suspension
    4.9.14 Who Can Request Suspension
    4.9.15 Procedure for Suspension Request
    4.9.16 Limits on Suspension Period
  4.10 Certificate Status Services
    4.10.1 Operational Characteristics
    4.10.2 Service Availability
    4.10.3 Optional Features
  4.11 End of Subscription
  4.12 Key Escrow and Recovery
    4.12.1 Key Escrow and Recovery Policy and Practices
    4.12.2 Session Key Encapsulation and Recovery Policy and Practices
5 FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS
  5.1 Physical Controls
    5.1.1 Site Location and Construction
    5.1.2 Physical Access
    5.1.3 Power and Air Conditioning
    5.1.4 Water Exposures
    5.1.5 Fire Prevention and Protection
    5.1.6 Media Storage
    5.1.7 Waste Disposal
    5.1.8 Offsite Backup
  5.2 Procedural Controls
    5.2.1 Trusted Roles
    5.2.2 Number of Persons Required Per Task
    5.2.3 Identification and Authentication for Each Role
    5.2.4 Roles requiring separation of duties
  5.3 Personnel Controls
    5.3.1 Qualifications, Experience, and Clearance Requirements
    5.3.2 Background Check Procedures
    5.3.3 Training Requirements
    5.3.4 Retraining Frequency and Requirements
    5.3.5 Job Rotation Frequency and Sequence
    5.3.6 Sanctions for Unauthorized Actions
    5.3.7 Independent Contractor Requirements
    5.3.8 Documentation Supplied to Personnel
  5.4 Audit Logging Procedures
    5.4.1 Types of Events Recorded
    5.4.2 Frequency of Processing Log
    5.4.3 Retention Period for Audit Log
    5.4.4 Protection of Audit Log
    5.4.5 Audit Log Backup Procedures
    5.4.6 Audit Collection System (Internal vs. External)
    5.4.7 Notification to Event-Causing Subject
    5.4.8 Vulnerability Assessments
  5.5 Records Archival
    5.5.1 Types of Records Archived
    5.5.2 Retention Period for Archive
    5.5.3 Protection of Archive
    5.5.4 Archive Backup Procedures
    5.5.5 Requirements for Time-Stamping of Records
    5.5.6 Archive Collection System (Internal or External)
    5.5.7 Procedures to Obtain and Verify Archive Information
  5.6 Key Changeover
  5.7 Compromise and Disaster Recovery
    5.7.1 Incident and Compromise Handling Procedures
    5.7.2 Computing Resources, Software, and/or Data are Corrupted
    5.7.3 Entity Private Key Compromise Procedures
    5.7.4 Business Continuity Capabilities After a Disaster
  5.8 CA or RA Termination
6 TECHNICAL SECURITY CONTROLS
  6.1 Key Pair Generation and Installation
    6.1.1 Key Pair Generation
    6.1.2 Private Key Delivery to Subscriber
    6.1.3 Public Key Delivery to Certificate Issuer
    6.1.4 CA Public Key Delivery to Relying Parties
    6.1.5 Key Sizes
    6.1.6 Public Key Parameters Generation and Quality Checking
    6.1.7 Key Usage Purposes
  6.2 Private Key Protection and Cryptographic Module Engineering Controls
    6.2.1 Cryptographic Module Standards and Controls
    6.2.2 Private Key Multi-Person Control
    6.2.3 Private Key Escrow
    6.2.4 Private Key Backup
    6.2.5 Private Key Archival
    6.2.6 Private Key Transfer Into or From a Cryptographic Module
    6.2.7 Private key storage on cryptographic module
    6.2.8 Method of Activating Private Keys
    6.2.9 Method of Deactivating Private Key
    6.2.10 Method of Destroying Private Key
    6.2.11 Cryptographic Module Rating
  6.3 Other Aspects of Key Pair Management
    6.3.1 Public Key Archival
    6.3.2 Certificate Operational Periods and Key Pair Usage Periods
  6.4 Activation Data
    6.4.1 Activation Data Generation and Installation
    6.4.2 Activation Data Protection
    6.4.3 Other Aspects of Activation Data
  6.5 Computer Security Controls
    6.5.1 Specific Computer Security Technical Requirements
    6.5.2 Computer Security Rating
  6.6 Life Cycle Technical Controls
    6.6.1 System Development Controls
    6.6.2 Security Management Controls
    6.6.3 Life Cycle Security Controls
  6.7 Network Security Controls
  6.8 Time-Stamping
7 CERTIFICATE, CRL, AND OCSP PROFILES
  7.1 Certificate Profile
    7.1.1 Version Number
    7.1.2 Certificate Extensions
    7.1.3 Algorithm Object Identifiers
    7.1.4 Name Forms
    7.1.5 Name Constraints
    7.1.6 Certificate Policy Object Identifier
    7.1.7 Usage of Policy Constraints Extension
    7.1.8 Policy Qualifier Syntax and Semantics
    7.1.9 Processing Semantics for the Critical Certificate Policies Extension
  7.2 CRL Profile
    7.2.1 Version Number
    7.2.2 CRL and CRL Entry Extensions
  7.3 OCSP Profile
    7.3.1 Version Number
    7.3.2 OCSP Extensions
8 COMPLIANCE AUDIT AND OTHER ASSESSMENTS
  8.1 Frequency or Circumstances of Assessment
  8.2 Identity/Qualifications of Assessor
  8.3 Assessor's Relationship to Assessed Entity
  8.4 Topics Covered by Assessment
  8.5 Actions Taken as a Result of Deficiency
  8.6 Communication of Results
  8.7 Self-Audits
  8.8 Specification Administration
    8.8.1 Specification Change Procedures
    8.8.2 Publication and Notification Policies
  8.9 CPS Approval Procedures
9 OTHER BUSINESS AND LEGAL MATTERS
  9.1 Fees
    9.1.1 Certificate Issuance or Renewal Fees
    9.1.2 Certificate Access Fees
    9.1.3 Revocation or Status Information Access Fees
    9.1.4 Fees for Other Services
    9.1.5 Refund Policy
  9.2 Financial Responsibility
    9.2.1 Insurance Coverage
    9.2.2 Other Assets
    9.2.3 Insurance or Warranty Coverage for End-entities
  9.3 Confidentiality of Business Information
    9.3.1 Scope of Confidential Information
    9.3.2 Information not Within the Scope of Confidential Information
    9.3.3 Responsibility to Protect Confidential Information
  9.4 Privacy of Personal Information
    9.4.1 Privacy Plan
    9.4.2 Information Treated as Private
    9.4.3 Information Not Deemed Private
    9.4.4 Responsibility to Protect Private Information
    9.4.5 Notice and Consent to Use Private Information
    9.4.6 Disclosure Pursuant to Judicial or Administrative Process
    9.4.7 Other Information Disclosure Circumstances
  9.5 Intellectual Property Rights
    9.5.1 Property Rights in Certificates and Revocation Information
    9.5.2 Property Rights in the Agreement
    9.5.3 Property Rights to Names
    9.5.4 Property Rights in Keys and Key Material
  9.6 Representations and Warranties
    9.6.1 CA Representations and Warranties
    9.6.2 RA Representations and Warranties
    9.6.3 Subscriber Representations and Warranties
    9.6.4 Relying Party Representations and Warranties
    9.6.5 Representations and Warranties of Other Participants
  9.7 Disclaimers of Warranties
    9.7.1 Fiduciary Relationships
  9.8 Limitations of Liability
  9.9 Indemnities
    9.9.1 Indemnification by Subscribers
    9.9.2 Indemnification by Relying Parties
  9.10 Term and Termination
    9.10.1 Term
    9.10.2 Termination
    9.10.3 Effect of Termination and Survival
  9.11 Individual Notices and Communications with Participants
  9.12 Amendments
    9.12.1 Procedure for Amendment
    9.12.2 Notification Mechanism and Period
    9.12.3 Circumstances Under Which OID Must be Changed
  9.13 Dispute Resolution Provisions
  9.14 Governing Law
  9.15 Compliance with Applicable Law
  9.16 Miscellaneous Provisions
    9.16.1 Entire Agreement
    9.16.2 Assignment
    9.16.3 Severability
    9.16.4 Enforcement
    9.16.5 Force Majeure
  9.17 Other Provisions
10 APPENDIX A – CERTIFICATE PROFILES
  10.1 Root CAs
  10.2 Issuing CA
  10.3 Cross CA Certificates
  10.4 End Entity SSL Certificates
  10.5 End Entity Code Signing Certificates
1 INTRODUCTION

Starfield Technologies is an innovator in the field of Internet foundation services, providing advanced software and Internet solutions critical to the building of online presence and e-commerce. The Starfield Public Key Infrastructure (“Starfield PKI”) has been established to provide a variety of digital certificate services.

1.1 Overview

This Certificate Policy and Certification Practice Statement (CP/CPS) describes the practices of the Starfield PKI and applies to all Certification Authorities (CAs) within the Starfield PKI hierarchy. This CP/CPS is applicable to all entities with relationships with the Starfield PKI, including Policy Authorities (PAs), Certification Authorities (CAs), Registration Authorities (RAs), Subscribers, and Relying Parties.

The Starfield PKI conforms to the current version of the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates published at http://www.cabforum.org. In the event of any inconsistency between this document and those Requirements, those Requirements take precedence over this document. The following policy identifiers are managed in accordance with these requirements: 2.23.140.1.2.1, 2.23.140.1.2.2, 2.23.140.1.2.3, and 2.23.140.1.1.

The Starfield PKI conforms to the current version of the CA/Browser Forum Guidelines for Issuance and Management of Extended Validation Certificates published at http://www.cabforum.org. In the event of any inconsistency between this document and those Guidelines, those Guidelines take precedence over this document.

1.2 Document Name and Identification

This document is formally referred to as the “Starfield Certificate Policy and Certification Practice Statement” (Starfield CP/CPS). Starfield CAs issue certificates in accordance with the policy and practice requirements of this document. The OID-arcs associated with this document are 2.16.840.1.114413 and 2.16.840.1.114414.

1.2.1 Document History

| Version | Effective Date | Change Summary |
|---|---|---|
| 3.12 | August 15, 2017 | • Added this changelog • Updated 3.3.9 to state that Starfield now relies on 3rd party data sources to identify high risk requests • Updated section 4.1.1 to confirm that Starfield now processes CAA records |
| 3.12.2 | November 9, 2017 | • Corrected the 3.1.8 section to reference valid subsections |
| 3.13 | September 18, 2018 | • Reformat to RFC 3647 Part 1 |
| 4.0 | September 27, 2018 | • Reformat to RFC 3647 Part 2 |
| 4.1 | May 14, 2019 | • Added text to sections 1.4 and 1.4.1 • Updated section 9.8 |
| 4.2 | March 11, 2020 | • Updated to reflect Mozilla Root Store requirements • Updated section 3.2 |
| 4.3 | May 26, 2020 | • Updated section 7.2 to show both versions of CRL |
| 4.4 | June 19, 2020 | • Updated section 4.9.4 in accordance to BRs |
| 4.5 | July 23, 2020 | • Removed the G3 and G4 roots from 1.3.1, 3.2.2.4.9 and Appendix A |
| 4.6 | July 30, 2020 | • Updated link to repository in section 2.1 |
| 4.7 | August 31, 2020 | • Updated section 6.3.2 to reflect 398 day maximum validity period • Updated section 2.1 to reflect updated repository link |
| 4.8 | September 30, 2020 | • Updated 7.2.2.1 and 7.2.2.2 to remove reason code 6 • Updated section 3.2 to add link to agency disclosure list • Updated sections 10.4 and 10.5 to reflect SHA2 • Updated section 8.6 to acknowledge new audit requirements |
| 4.9 | October 21, 2020 | • Added section 9.16.5 Force Majeure • Updated sections 1.6 and 4.9.1 to add definitions and details to revocation |
| 4.10 | April 19, 2021 | • Updated section 1.5.2 with more clear instructions for Certificate Problem Report • Updated section 4.2.2 to indicate that SOD is also applicable to Code Signing • Updated section 5.4.3 to reflect the 7 years retention period for audit log |
| 4.11 | June 10, 2021 | • Updated section 1.4 to indicate Code signing EOL as of May 30, 2021 • Updated section 4.9.12 to specify methods used to demonstrate private key compromise |
| 4.12 | July 9, 2021 | • Updated section 1.4 to reflect Code Signing policy updates in relation to Code Signing EOL • Updated section 1.5.2 to reflect new company address • Updated section 3.2.2 header to include Domain • Added section 3.2.2.4.20 TLS Using ALPN (Ballot SC33) • Removed Code Signing references in the following sections: 1.1, 3.2, 4.2.2, 6.3.2, 7.1.6, 8.7, 10.2 • Updated section 10.5 in relation to Code Signing EOL |
| 4.13 | September 8, 2021 | • Updated section 10.4 to reflect removal of OU (Ballot SC47) • Ballot SC48 clean up: replaced all instances of Fully Qualified with Fully-Qualified; added and updated some definitions in 1.6.1; updated applicable sections under 3.2.2.4 to replace instances of label(s) with Domain Label(s) • Added subsections to 7.1.4 Name Forms: 7.1.4.1, 7.1.4.2, 7.1.4.2.1, 7.1.4.2.2, 7.1.4.3, 7.1.4.3.1. • Added 3.2.2.5 Authentication for an IP Address, and 3.2.2.6 Wildcard Domain Validation. Re-numbered Data Source Accuracy to 3.2.2.7. |

Copyright © 2004-2021 Starfield Technologies, LLC. All rights reserved.

1.3 PKI Participants

This CP/CPS is applicable to all certificates issued by Starfield CAs within the Starfield PKI. This document defines the specific communities for which a specific class or type of certificate is applicable, specific Starfield PKI practices and requirements for the issuance and management of such certificates, and the intended purposes and uses of such certificates.

1.3.1 Certification Authorities

Starfield Certification Authorities (CAs) perform the following general functions:
• Create and sign certificates
• Distribute certificates to the appropriate Subscribers and Relying Parties
• Revoke certificates
• Distribute certificate status information in the form of Certificate Revocation Lists (CRLs) or other mechanisms
• Provide a repository where certificates and certificate status information are stored and made available (if applicable).

Obligations of the CAs within the Starfield PKI include:
• Generating, issuing and distributing public key certificates
• Distributing CA certificates
• Generating and publishing certificate status information (such as CRLs)
• Maintaining the security, availability, and continuity of the certificate issuance and CRL signing functions
• Providing a means for Subscribers to request revocation
• Revoking public-key certificates
• Periodically demonstrating internal or external audited compliance with this CP/CPS.

Within the Starfield PKI, there are two general types of CAs: Root and Issuing CAs. Currently, the Starfield PKI hierarchy consists of the CAs in the diagrams below. Relationships between these CA certificates are represented in the following diagrams:

[Diagrams: Starfield PKI CA hierarchy. The layout is not recoverable from the transcription. CA names appearing in the diagrams: Starfield Class 2 Certification Authority (SHA-1); Go Daddy Class 2 Certification Authority (SHA-1); Starfield Services Root Certificate Authority (SHA-1); Starfield Secure Certification Authority (SHA-1); Go Daddy Secure Certification Authority (SHA-1); Starfield Services Root Certificate Authority - G2 (operated by Amazon); Starfield Root Certificate Authority - G2; Go Daddy Root Certificate Authority - G2; Starfield Secure Certificate Authority - G2; Starfield Secure Code Signing Certificate Authority - G2; Starfield Secure Extended Validation Code Signing CA - G2; Go Daddy Secure Certificate Authority - G2; Go Daddy Secure Code Signing Certificate Authority - G2; Go Daddy Secure Extended Validation Code Signing CA - G2. Labels appearing in the diagrams: "Cross-signs"; "All types of SSL and code signing certificates".]

1.3.2 Registration Authorities

Registration Authorities (RAs) evaluate and either approve or reject Subscriber certificate management transactions (including certificate requests, renewal and re-key requests, and revocation requests). Starfield serves as the sole RA for the Starfield PKI.

Obligations of the Registration Authorities (RAs) within the Starfield PKI include:
• Obtaining a public-key from the Subscriber
• Identifying and authenticating Subscribers in accordance with this CP/CPS
• Verifying that the Subscriber possesses the asymmetric private key corresponding to the public-key submitted for certification
• Receiving, authenticating and processing certificate revocation requests
• Providing suitable training to personnel performing RA functions.

For the Starfield Root CAs the Subscribers are Subordinate CAs that are under the control of Starfield.
Accordingly, the RA function for these CAs is performed manually by authorized Starfield PKI personnel.
For the Starfield Issuing CAs, the RA function is performed by Starfield using a combination of automated and manual processes.

1.3.3 Subscribers

For the Root CAs, the Subscribers include subordinate CAs. For Starfield Issuing CAs, Subscribers typically include organizations and individuals.

Obligations of Subscribers within the Starfield PKI include:
• Generating or causing to be generated one or more asymmetric key pairs
• Submitting public keys and credentials for registration
• Providing information to the RA that is accurate and complete to the best of the Subscribers’ knowledge and belief regarding information in their certificates and identification and authentication information
• Taking appropriate measures to protect their private keys from compromise
• Promptly reporting loss or compromise of private key(s) and inaccuracy of certificate information
• Using its key pair(s) in compliance with this CP/CPS.

1.3.4 Relying Parties

Relying Parties include any entity that may rely upon a Starfield certificate for purposes of determining the organizational or individual identity of an entity providing a web site, data encryption, digital signature verification, and user authentication.

Obligations of Relying Parties within the Starfield PKI include:
• Confirming the validity of Subscriber public-key certificates
• Verifying that Subscriber possesses the asymmetric private key corresponding to the public-key certificate (e.g., through digital signature verification)
• Using the public-key in the Subscriber’s certificate in compliance with this CP/CPS.

1.3.5 Other Participants

Not applicable.

1.4 Certificate Usage

Starfield offers TLS Certificates in the following levels of assurance:

| Assurance Level | Certificate Validation Type |
|---|---|
| Basic and Medium Assurance | Domain Validation (DV) |
| High Assurance | Organization and Individual Validation (OV) |
| Extended Validation | Extended Validation (EV) |

As of May 30, 2021, Starfield no longer issues High Assurance Code Signing Certificates and will no longer update this CP/CPS for Code Signing related changes to the Baseline Requirements. Code Signing references were removed in v4.12. Refer to Certificate Policy and Certification Practice Statement v4.11 in Starfield’s Repository for the most recent policy containing Code Signing references.

1.4.1 Appropriate Certificate Uses

A certificate issued by Starfield shall be used only as designated by the terms of this CP/CPS and any service agreements. However, the sensitivity of the information processed or protected by a Certificate varies greatly, and each Relying Party must evaluate the associated risks before deciding on whether to rely on a Certificate issued under this CPS.

1.4.2 Prohibited Certificate Uses

As defined in the applicable Subscriber Agreement.

1.5 Policy Administration

1.5.1 Organization Administering the Document

This CP/CPS is administered by the Starfield Governance and Policy Committee.

1.5.2 Contact Person

Starfield Technologies, LLC
2155 E Warner Rd.
Tempe, AZ 85284
Phone: 480-505-8800
E-mail: practices@starfieldtech.com

For a Certificate Problem Report that concerns a key compromised certificate, a misissued certificate, or any other type of suspicious activity with a certificate, contact us at (480) 505-8852, or practices@starfieldtech.com.

The Starfield Governance and Policy Committee consists of representatives from executive management, corporate security, PKI operations, and legal.

Obligations of the Starfield Governance and Policy Committee (GPC) include:
• Approving and maintaining this CP/CPS
• Interpreting adherence to this CP/CPS
• Specifying the content of public-key certificates
• Resolving or causing resolution of disputes related to this CP/CPS
• Remaining current regarding security threats and ensuring that appropriate actions are taken to counteract significant threats.

1.5.3 Person Determining CPS Suitability for the Policy

The Starfield Governance and Policy Committee determines the suitability of this CPS for the policy based on the results of independent audits.

1.5.4 CPS Approval Procedure

All changes to this document are approved by a quorum of the Starfield Governance and Policy Committee.

1.6 Definitions and Acronyms

• Applicant - the natural person or legal entity that applies for (or seeks renewal of) a Certificate. Once the Certificate issues, the Applicant is referred to as the Subscriber.
• Applicant Representative - a natural person or human sponsor who is either the Applicant, employed by the Applicant, or an authorized agent who has express authority to represent the Applicant: (i) who signs and submits, or approves a certificate request on behalf of the Applicant, and/or (ii) who signs and submits a Subscriber Agreement on behalf of the Applicant, and/or (iii) who acknowledges and agrees to the Certificate Terms of Use on behalf of the Applicant when the Applicant is an Affiliate of the CA.
• Attestation Letter - a letter attesting that Subject Information is correct written by an accountant, lawyer, government official, or other reliable third party customarily relied upon for such information.
• Authorization Domain Name - The FQDN used to obtain authorization for a given FQDN to be included in a Certificate. The CA may use the FQDN returned from a DNS CNAME lookup as the FQDN for the purposes of domain validation. If a Wildcard Domain Name is to be included in a Certificate, then the CA MUST remove "*." from the left-most portion of the Wildcard Domain Name to yield the corresponding FQDN. The CA may prune zero or more Domain Labels of the FQDN from left to right until encountering a Base Domain Name and may use any one of the values that were yielded by pruning (including the Base Domain Name itself) for the purpose of domain validation.
• Authorized Port - one of the following ports: 80 (http), 443 (http), 115 (sftp), 25 (smtp), 22 (ssh).
• Base Domain Name - the portion of an applied-for FQDN that is the first Domain Name node left of a registry-controlled or public suffix plus the registry-controlled or public suffix (e.g. “example.co.uk” or “example.com”). For FQDNs where the right-most Domain Name node is a gTLD having ICANN Specification 13 in its registry agreement, the gTLD itself may be used as the Base Domain Name.
• Basic Assurance – Starfield’s vetting process that verifies access to the domain
• Baseline Requirements (BR) - Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates published by the CA/Browser Forum (http://www.cabforum.org)
• CAA – From RFC 8659 (http://tools.ietf.org/html/rfc8659): "The Certification Authority Authorization (CAA) DNS Resource Record allows a DNS domain name holder to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain name. CAA Resource Records allow a public CA to implement additional controls to reduce the risk of unintended certificate mis-issue."
• CA Key Pair – A Key Pair where the Public Key appears as the Subject Public Key Info in one or more Root CA Certificate(s) and/or Subordinate CA Certificate(s).
• Certificate - digital record that contains information such as the Subscriber’s distinguished name and public key, and the signer's signature and data
• Certificate Revocation List (CRL) – periodically published listing of all certificates that have been revoked for use by Relying Parties
• Certificate Signing Request (CSR) – a message sent to the certification authority containing the information required to issue a digital certificate
• Certification Authority (CA) – see 1.3.1
• Code Signing Certificate – a certificate issued to an organization for the purpose of digitally signing software
• Compromise - a loss, theft, disclosure, modification, unauthorized use, or other breach of security related to a Private Key
• Custom Certificate – a certificate profile defined for a specific, non-standard usage
• Distinguished Name (DN) – a globally unique identifier representing a Subscriber
• Domain Authorization Document - documentation provided by, or a CA’s documentation of a communication with, a Domain Name Registrar attesting to the authority of an Applicant to request a Certificate for a specific domain namespace.
• Domain Contact - the Domain Name Registrant, technical contact, or administrative contact (or the equivalent under a ccTLD) as listed in the WHOIS record of the Base Domain Name or in a DNS SOA record
• Domain Label: From RFC 8499 (http://tools.ietf.org/html/rfc8499): "An ordered list of zero or more octets that makes up a portion of a domain name. Using graph theory, a label identifies one node in a portion of the graph of all possible domain names."
• Domain Name - An ordered list of one or more Domain Labels assigned to a node in the Domain Name System.
• Domain Name Registrant - sometimes referred to as the “owner” of a Domain Name, but more properly the person(s) or entity(ies) registered with a Domain Name Registrar as having the right to control how a Domain Name is used, such as the natural person or Legal Entity that is listed as the “Registrant” by WHOIS or the Domain Name Registrar.
• Domain Name Registrar: a person or entity that registers Domain Names under the auspices of or by agreement with: (i) the Internet Corporation for Assigned Names and Numbers (ICANN), (ii) a national Domain Name authority/registry, or (iii) a Network Information Center (including their affiliates, contractors, delegates, successors, or assigns).
• Extended Validation (EV) – certificate issued under the Guidelines for the Issuance and Management of Extended Validation Certificates published by the CA/Browser Forum (http://www.cabforum.org)
• Fully-Qualified Domain Name (FQDN) - a Domain Name that includes the Domain Labels of all superior nodes in the Internet Domain Name System
• Governance and Policy Committee (GPC) – the Starfield committee which creates and maintains the policies related to the Starfield Public Key Infrastructure. Also known as the Policy Authority Committee (PAC)
• Hardware Security Module (HSM) – a specialized computer hardware system designed to securely store encryption keys
• High Assurance – Starfield’s vetting process that verifies the identity of the individual or organization that requested the certificate and access to the domain
• LDH Label: From RFC 5890 (http://tools.ietf.org/html/rfc5890): "A string consisting of ASCII letters, digits, and the hyphen with the further restriction that the hyphen cannot appear at the beginning or end of the string. Like all DNS labels, its total length must not exceed 63 octets."
• Medium Assurance – Starfield’s vetting process that verifies access to the domain
• Non-Reserved LDH Label: From RFC 5890 (http://tools.ietf.org/html/rfc5890): "The set of valid LDH labels that do not have '--' in the third and fourth positions."
• Online Certificate Status Protocol (OCSP) – A standardized query/response protocol whereby a client can request the status of a given Certificate and be given a response that will indicate whether the Certificate is valid or revoked.
• P-Label: An XN-Label that contains valid output of the Punycode algorithm (as defined in RFC 3492, Section 6.3) from the fifth and subsequent positions.
• Policy Authority Committee – See Governance and Policy Committee
• Private Key – a confidential encrypted electronic data file that interfaces with a Public Key using the same encryption algorithm, in order to verify Digital Signatures and encrypt files or messages
• Public Key – an encrypted electronic data file that is publicly available for interfacing with a Private Key
• Registration Authority (RA) – see 0
• Reliable Data Source - an identification document or source of data used to verify Subject Identity Information that is generally recognized among commercial enterprises and governments as reliable, and which was created by a third party for a purpose other than the Applicant obtaining a Certificate.
• Reliable Method of Communication - a method of communication, such as a postal/courier delivery address, telephone number, or email address, that was verified using a source other than the Applicant Representative.
• Relying Party – an individual or entity that acts in reliance on a Certificate or digital signature associated with a Certificate
• Relying Party Agreement – an agreement which specifies the stipulations under which a person or organization acts as a Relying Party
• Request Token – A value, derived in a method specified by the CA which binds this demonstration of control to the certificate request. The CA SHOULD define within its CPS (or a document clearly referenced by the CPS) the format and method of Request Tokens it accepts. The Request Token SHALL incorporate the key used in the certificate request.
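
The Authorization Domain Name, Base Domain Name and LDH Label definitions in section 1.6 together describe a small algorithm: strip a leading "*.", check the labels, then prune labels from the left down to the Base Domain Name. The sketch below is an added example, not Starfield's implementation; the function names and the three-entry suffix set are assumptions made for illustration (a real validator would use the full Public Suffix List), and the optional CNAME substitution is not modelled.

```python
import re

# Constructed sample of registry-controlled / public suffixes (an assumption for
# this example). A production validator would load the full Public Suffix List.
SAMPLE_SUFFIXES = {"com", "uk", "co.uk"}

# Letters, digits and hyphen, with no hyphen at either end of the label.
_LDH = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?")


def is_ldh_label(label: str) -> bool:
    """LDH Label as quoted from RFC 5890: LDH characters only, at most 63 octets."""
    return len(label) <= 63 and _LDH.fullmatch(label.lower()) is not None


def is_non_reserved_ldh_label(label: str) -> bool:
    """Non-Reserved LDH Label: an LDH label without '--' in positions three and four."""
    return is_ldh_label(label) and label[2:4] != "--"


def base_domain_name(labels: list[str]) -> list[str]:
    """Return the labels of the Base Domain Name: the suffix plus one label to its left."""
    for i in range(len(labels)):  # i = 0 tests the longest candidate suffix first
        if ".".join(labels[i:]) in SAMPLE_SUFFIXES:
            if i == 0:
                raise ValueError("name is itself a registry-controlled or public suffix")
            return labels[i - 1:]
    raise ValueError("no known suffix; cannot determine Base Domain Name")


def authorization_domain_names(requested: str) -> list[str]:
    """List every FQDN that may serve as the Authorization Domain Name for `requested`."""
    name = requested.lower()
    if name.endswith("."):
        name = name[:-1]          # drop the root dot of an absolute name
    if name.startswith("*."):
        name = name[2:]           # Wildcard Domain Name -> corresponding FQDN
    labels = name.split(".")
    bad = [label for label in labels if not is_ldh_label(label)]
    if bad:                       # catches empty labels and any remaining '*'
        raise ValueError(f"not an LDH label: {bad[0]!r}")
    base = base_domain_name(labels)
    stop = len(labels) - len(base)
    # Prune zero or more labels from the left, ending at the Base Domain Name.
    return [".".join(labels[i:]) for i in range(stop + 1)]


if __name__ == "__main__":
    for candidate in authorization_domain_names("*.shop.eu.example.co.uk"):
        print(candidate)
```

Validation may never be performed at a name shorter than the Base Domain Name, which is why a request for a bare suffix such as "co.uk" is rejected rather than pruned further.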